Silk Guardian

From Gentoo Wiki
Jump to:navigation Jump to:search

Silk Guardian is a Linux kernel module kill switch that upon detecting changes to USB ports, wipes the RAM, securely deletes user specified files, and then shuts down the system.



Silk Guardian needs to be built manually since it can only be configured by modifying the source code prior to being built.

Install the required dependencies:

root #emerge --ask --noreplace dev-vcs/git

Clone the Silk Guardian Git repository:

root #git clone /usr/local/src/silk-guardian

Silk Guardian activation can be prevented by adding known USB devices to a whitelist. The whitelist format is { USB_DEVICE(0x<vendor-id>, 0x<product-id>) },, where <vendor-id> and <product-id> are 4 digit hexadecimal numbers returned by lsusb. For example, to whitelist a Logitech G105 keyboard, add its vendor ID (046d) and product ID (c248) to the whitelist_table array in config.h:

FILE /usr/local/src/silk-guardian/config.h
static const struct usb_device_id whitelist_table[] = {
	{ USB_DEVICE(0x046d, 0xc248) },

When activated, Silk Guardian will securely delete user specified files with shred. This feature is particularly useful when sensitive files are stored on the system. For example, to securely delete the user Larry's SSH and GnuPG private keys, add the following to the remove_files array in config.h:

FILE /usr/local/src/silk-guardian/config.h
static char *remove_files[] = {
	NULL,	/* Must be NULL terminated */

Build and install Silk Guardian:

root #cd /usr/local/src/silk-guardian
root #make && make install
The Silk Guardian kernel module will need to be built and installed every time a new kernel is installed.


Kernel module

The Silk Guardian kernel module can be loaded manually by the modprobe command:

root #modprobe silk

To manually remove the Silk Guardian kernel module:

root #modprobe -r silk

The Silk Guardian kernel module can also be loaded automatically at boot:

FILE /etc/modules-load.d/silk-guardian.conf


  • Silk Guardian can be activated when an unknown USB device is plugged into the system. This could be useful in stopping a malicious USB device from installing malware or a backdoor onto the system.
  • Silk Guardian can be activated by unplugging a known USB device from the system that has not been whitelisted. In this case, the known USB device needs to be plugged into the system prior to loading the Silk Guardian kernel module. This is useful when the system needs to be quickly secured, especially when disk encryption is utilized.


To uninstall Silk Guardian:

root #modprobe -r silk
root #rm -i /lib/modules/$(uname -r)/extra/silk.ko
root #depmod -a

See also

External resources

  • USBGuard - A software framework that protects against rogue USB devices.